Earlier this year I was playing around on the school's computers and found out the administrative password to a computer in my classroom. I realized how XP stored its passwords, booted into Ubuntu, and took the SAM and SYSTEM files. I was wondering if it was possible to store these passwords on a remote computer and use roaming desktops, so that if one system was compromised the passwords would still be safe because they were not stored on the local machine, but on a remote one that only verifies their access to the domain? This would ideally be some server locked up somewhere like in the office or network closet, but any advice or comments on the subject would be nice. Thanks for any help.

3 Answers

Yes it is; you must have the computer on a domain and disable password caching. Know that if you do this you will receive the error "The system cannot log you on now because the domain is not available." if the domain server is down.

This can be done by setting a group policy to have HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount set to 0.
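As an added illustration (not part of the answer above), the following PowerShell script audits the registry value the answer refers to and can set it to 0. Assumptions: it is run in an elevated session on the workstation being checked; the function names `Get-CachedLogonsCount` and `Set-CachedLogonsCount` are this example's own, not a Windows API. The value is stored as REG_SZ, which is why it is read and written as a string.

```powershell
# Added example: audit the cached-domain-logon setting and optionally disable it.
# CachedLogonsCount is a REG_SZ under the Winlogon key; 0 disables caching,
# and an absent value means the Windows default (10 cached logons) applies.
$Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$Name = 'CachedLogonsCount'

function Get-CachedLogonsCount {
    # Returns $null when the value has never been set on this machine.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Set-CachedLogonsCount {
    # Windows accepts 0..50 here; write it back as a string to keep the REG_SZ type.
    param([ValidateRange(0, 50)][int]$Count)
    Set-ItemProperty -Path $Path -Name $Name -Value ([string]$Count) -Type String
}

# Report the current state before changing anything.
$current = Get-CachedLogonsCount
if ($null -eq $current) {
    Write-Output "$Name is not set; the Windows default of 10 cached logons applies."
} elseif ($current -eq 0) {
    Write-Output "Cached domain logons are already disabled ($Name = 0)."
} else {
    Write-Output "Up to $current domain logons are cached on this machine."
}

# Uncomment to disable caching on this machine (the domain controller must then
# be reachable for every domain logon, as the answer warns):
# Set-CachedLogonsCount -Count 0
```

On a domain member the same setting is better pushed through Group Policy (Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options, "Interactive logon: Number of previous logons to cache (in case domain controller is not available)"), so that a local registry edit is enforced on every workstation and cannot simply be reverted on one of them; the script is still useful to verify what a given machine actually ended up with.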

Forget Kerberos; it's too labor-intensive/expensive to deploy. The poster of this question has had a valid 'eureka moment', but seems to forget that while the passwords are no longer cached in his/her scenario, they can still be sniffed and captured on the wire.

However, the main principle of the poster's observation (i.e., eliminating weak links and reducing the vectors for attack via storage of credentials on a central identity server) still stands. I've noticed this same principle has already translated to cloud-based apps and webware, with companies offering Single Sign On services (i.e., storing credentials on a central and secure cloud server to simplify access and promote the use of more complex and diverse passwords). These services translate into identity management, much more than simple password management.

The recent Sony PlayStation Network hack revealed that even 'tech savvy' and 'security conscious' users are re-using the same password across the ever-expanding number of online accounts. Of course they were, and likely still are! How many passwords can a person remember? Only a Single Sign On service that can link to Active Directory can come close to a total solution.

Anyone come across a service offering like this yet? I am beta-testing one solution now at www.smartsignin.com. The encryption they have implemented does not utilize a single, 'whole' key on their cloud identity server that can decrypt your stored credentials. Instead the key is split between the server and the user's system. The user thus controls the decryption in real time from their browser for each and every account they access from their new centralized identity profile. Pretty cool, I think. They also have multi-factor authentication to prevent sessions from being hijacked. Take a look and let me know what you think.

I don't consider most "Gamers" to be "tech savvy" or even aware of the basic principles of "computer security", as shown by the most recent Sony attack. Consider that a large majority of "Gamers" are too young to care about basic computer security. Most of those that are old enough to pay for their own habit care just enough not to get their identity stolen; in other words, most people simply do not take the time required to secure stuff like a Sony online account.

– Ramhound Dec 15 '11 at 13:33

As you just demonstrated with your Ubuntu bootup, I'd also take steps to lock down any USB or CD/DVD booting on the local machines to prevent any attempted bypassing of the (I'm presuming) AD UACs and potentially gaining access to the local network.

If the admins are smart, they'd have all internal data traverse a firewall (as well as external data) to keep any unauthorized users that happen to be in the local domain from pivoting to another machine or user somewhere else in the domain, or to another domain entirely, for various nefarious reasons.